Companies beware: The next big leak could be yours

SAN FRANCISCO — WikiLeaks' release of secret government communications is a warning to the world's biggest companies: You might be next.

Computer experts have warned for years about the threat posed by disgruntled insiders and by poorly crafted security policies, which give too much access to confidential data. And there is nothing about WikiLeaks' release of U.S. diplomatic documents to suggest that the group can't — or won't — use the same methods to reveal the secrets of powerful corporations.

And as WikiLeaks claims it has incriminating documents from a major U.S. bank, possibly Bank of America, there's new urgency to addressing information security inside corporations and a reminder of its limits when confronted with a determined insider.

At risk are e-mails, documents, databases and internal Web sites that companies think are locked to the outside world. Companies create records of every decision they make, whether it's rolling out new products, pursuing acquisitions, fighting legislation or foiling rivals.

Although it's easy technologically to limit who in a company sees specific types of information, many companies leave access settings far too open.

And even when security technology is doing its job, it's a poor match for someone with legitimate access who decides to go rogue.

Despite the repeated warnings, many large companies lack clear policies on who should have access to certain data, said Christopher Glyer, a manager with Mandiant Corp., a security firm based in Alexandria, Va., that investigates computer intrusions.

WikiLeaks argues that revealing details of companies and governments behaving badly, no matter how the information is obtained, is good for democracy.

Julian Assange, WikiLeaks' founder, told Forbes magazine that the number of leaks his site gets has been increasing "exponentially" as the site has gotten more publicity. He said it sometimes numbers in the thousands a day.

Assange told Forbes that half the unpublished material his organization has is about the private sector, including a "megaleak" involving a bank. He would not name the bank, but he said last year in an interview with Computerworld that he has several gigabytes of data from a Bank of America executive's hard drive. One gigabyte can hold nearly 700,000 pages of text.

Assange also told Forbes that WikiLeaks has "lots" of information on BP, which has been under fire for the massive Gulf of Mexico oil spill. Assange said his organization is trying to figure out if its information on BP is unique.

Companies have many options technologically to protect themselves.

Alfred Huger, vice president of engineering for security firm Immunet Corp. in Palo Alto, Calif., said companies could simply configure their e-mail servers to restrict to whom certain people can send documents.

Other measures include prohibiting certain people from copying and pasting from documents, blocking downloads to thumb drives and CDs, and deploying technologies that flag when executives' e-mail messages are being checked too often — a sign that an automated program is copying the contents.

But the more companies control information, the more difficult it is for employees to access documents they are authorized to view. That cuts productivity and increases costs in the form of additional help from technicians.

"You run the risk of creating an environment that's so rigid that people can't do their jobs," Huger said. "You have to find that balance. Unfortunately, there's no panacea against it."